Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't quite get what they are currently doing. Is it that they have some kind of Internal mitm proxy that proxies every TLS session with external hosts, recording the conversation for later offline analysis? Why wouldn't they still be able to do that? Or are they just worried about their ability to intercept internal conversations? I'd be really interested to know what a typical bank security architecture looks like, does anyone have a reference for further reading perhaps?


They don't MITM, they record sessions and later decrypt out-of-band as needed.

With TLS 1.3, they would need to MITM, which require infrastructure changes and potentially affects the performance.

They are complaining TLS 1.3 forces them to do work they otherwise wouldn't have to do.


But how doe they get access to the keys for the session without modifying the end hosts or MITM'ing the traffic?


> without modifying the end hosts

They have full control of the end hosts. That's why the group policy forces you to use Internet Explorer instead of letting you use Firefox.


Hmm, but why can't they just then record the session keys as before even for forward secure TLS (presuming we are talking about clients inside the bank initiating TLS sessions to external parties)?


Ah well they're banks you see and "doing things" requires spending money which they're rather averse to.

Also never use the word just outside the context of law.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: